"For Apple, the use of government forensic tools by criminal hackers raises questions about how cooperative it may be with Elcomsoft. The Russian company’s tool, as Zdziarski describes it, doesn't depend on any 'backdoor' agreement with Apple and instead required Elcomsoft to fully reverse engineer Apple’s protocol for communicating between iCloud and its iOS devices. But Zdziarski argues that Apple could still have done more to make that reverse engineering more difficult or impossible." Meanwhile, Nik Cubrilovic has waded into the data leak subculture that led to this incident and provides insight into the tech and the thinking behind it.

Use one very strong password for the password manager. That allows you to have hundreds of different passwords so each site you visit uses a different password and you don't need to remember them. If you use a strong enough password then you'll be fine.

Actually, I recommend using multiple safes/vaults/etc with different passwords; make the passwords appropriate to the contents of the safe; and treat the safes appropriate relative to their contents.

My safe with my passwords for throwaway email accounts and forum accounts, club memberships, etc is fairly simple. (It still counts as strong by all usual metrics, but its easy for me to remember and type in, which is good because I have to type it several times a day on average -- sometimes via a smartphone keyboard. Its sync'd via cloud to my smart phone, laptop, work computer, etc.

My safe with passwords for my life savings, domain registrar, email account and other assets which would be quite devastating to lose is MUCH longer and stronger, and it isn't synchronized with my devices. (Actually I have 4 - 5 safes with different groups of passwords in them.)

If you use a strong enough password then you'll be fine.

Unless you get hit with a keylogger. Then you lose everything. Does it really even make sense to have your online pay-parking app passwords and your numbered offshore banking in the same vault? All protected by the same password?

Its just silly.

And its another reason why I've split things up. If the phone gets compromised, my high value passwords aren't even in it. My higher value password safes get opened less frequently and on fewer systems, so a keylogger will have to be in the right system and wait longer to get into them -- giving me better odds of dodging the bullet, and more time to detect and remove them.

I'm sorry but when are password managers ever a good idea? Having 1 place with ALL your passwords ready to be stolen.

Password 'managers' make me nervous(unless based on proper crypto/key storage ICs with actual vetting by people who actually care, which is rare indeed, if it exists at all, since the people who care that much don't use passwords, just proper cryptographic authentication); but they do have the advantage of allowing those of us without eidetic memories to use passwords that might actually be strong enough to resist casual attack, and force the casual attacker to use the ultra-weak password reset process inst

You need to take a step back and consider the actual threat. If you are going to post the ciphered content of your password database on the front page of Slashdot yes the cryptography better be done right.

If you going to keep it on your desktop or on your phone and NOT send it over the network. Than I would say the value it affords you in being able to use longer passwords, with greater randomness, and unique passwords for every account is a win. The only anyone is going to get hold of it is if they pwn your computing device. If they do that than they don't need to beak the crypto they will just wait with the keylogger running for your to unlock it and collect the secret.

At that point though you rather than $PUBLIC_WEBSITE have become the attackers target. Once we are talking about a targeted persistent attack, there is little any of us will do personally to be safe if our attackers are any better equipped/capable than script kiddies.

I'm sorry but when are password managers ever a good idea? Having 1 place with ALL your passwords ready to be stolen.

And yet, in reality, regardless of your personal security measures, you already have this today

It's called that one email address you have ALL of your accounts configured to send a password reset to when you forget it.

All you really need is access to your email and All Your Passwords are Belong to Us, so let's just stop bullshitting each other and bashing password managers. The overall security model sucks ass anyway.

I'm sorry but when are password managers ever a good idea? Having 1 place with ALL your passwords ready to be stolen.

And yet, in reality, regardless of your personal security measures, you already have this today

It's called that one email address you have ALL of your accounts configured to send a password reset to when you forget it.

All you really need is access to your email and All Your Passwords are Belong to Us, so let's just stop bullshitting each other and bashing password managers. The overall security model sucks ass anyway.

I certainly dont have this today.

I've got 3 different email addresses and 1 phone number, this isn't including my work email and all ordered by security level. The password reset for slashdot doesn't go to the same email my address domain registrar or accountant. Below this I have another email address I use for signing onto services that I know are going to spam me. The low security accounts are not linked in any way to the high security accounts and my high security account is only accessed from device

If it is a trusted implementation, and you are using a very strong password (20 Characters, Upper case, Lower Case, numbers and symbols.), then you use unique generated passwords for each site you are really quite safe.

I'm sorry but when are password managers ever a good idea? Having 1 place with ALL your passwords ready to be stolen.

If you don't want to put all your passwords in your password manager, you don't have to do so. However if you put all your second tier passwords in it (the ones that you use to maintain privacy rather than fiscal security), then you can make them much more complex without requiring ridiculous complexity to memorize. You can also save arbitrary answers to security questions (if the answer to your dog's name is saved as sFjksL23549&@*^*% rather than Fido, it's not possible to get from investigating pers

The point of security questions are to have things that you can remember without having to write them down. If you input random crap like you and others are suggesting you're just extending the stupidity to a different level OR being needlessly redundant, because then you have to write down what that stupid crap was. Which might as well be the same thing as writing down your password.

Not necessarily. Security questions are essentially the same thing as passwords in every respect, except they're giving a clue as to their answer. But there are ways to make security questions secure, some of which are the same for passwords. A) use sentences to answer the question. They may know your pet is named "Scout" but will they probably won't know the answer if it's, "My third pet who was a dog was named scout" (assuming you could use that long of answer). B) Security questions could be determined b

What good is a password manager when the answers to your security questions are public knowledge?

Many sites, including all the financial institutions that I deal with, use the security questions as an additional layer of authentication, rather than as a mechanism to bypass passwords. If I login from a device that they do not recognize, they will ask the security questions. If I answer them correctly, then I still have to enter the correct password.

My Mother's maiden name is 52Vg8alTkWjJ92AXLq8c. I was born in the town of iyUJuoE5go9pWhylGHJT, where I got my first pet, 9DurEntFD7WU9lpZJCKI.

If you ever tell the truth with a security question, you've done it wrong. If you ever use the same answer to a security question twice, you've done it wrong. If your answers have less entropy than your passwords, you've done it wrong.

WTF good is that gonna do when the "find my iPhone" feature allowed for unlimited password tries with NO TIME LIMIT as has been reported on several sites? You can have the best password ever created and if I can just brute force the site all day long without penalty then you be fucked friend, after all you can throw together an AMD octocore box for a couple hundred bucks that can crank out attempts in the millions if not tens of millions if you have a big enough pipe!

Lets face it, somebody at Apple done fucked up REAL bad and instead of admitting it they are doing a "you're holding it wrong" level of BS spinjob trying to cover it up.

1. The vulnerability is Security 101 stuff (even a good password, like “D0nM@tt1ngly!”, was still vulnerable).
2. The vulnerability was publicly known since May.
3. Apple defaults users into the cloud (and Apple makes it very hard to not store in the cloud).
4. Apple does not encourage two-factor authentication (it discourages this).
5. Two-factor authentication wouldn't have worked anyway (it is not actually enforced on iCloud).

A strong password CAN be easily remembered. How about remembering 10 and 11?

"Ten!!!!!!!!!!!"

That's 10 and eleven "!" characters.

There are a number of ways to calculate password effectiveness. If you assume zero knowledge of the password characteristics, then the 290 million years the website you linked to calculated may be accurate.

Hackers, however, have typically found that certain patterns are used by humans more frequently than others, and instead of brute-forcing the password from the beginning (following UTF-8 order " ", " ", " !"... etc.), you can instead skip a significant part of the overall password space by only testing these common patterns.

I prefer this tool [dropboxusercontent.com], which evaluates password entropy. The figures it comes up with do tend to presume that something about the structure of the password is known (i.e: in your example that it is a word followed by a repeating symbol), but IMO this is a good figure to base your password decisions off as it represents a worst-case scenario, and not the best-case scenario the tool you linked presumes.

Using that tooling instead, your passwords strength and estimated crack time is as follows:

password: Ten!!!!!!!!!!!

entropy: 18.669

crack time (seconds): 20.836

crack time (display): instant

score from 0 to 4: 0

calculation time (ms): 3

FWIW, (and purely for the sake of comparison) one of the passwords I use online has, according to this tool, an entropy of 61.819 and a crack time of 203355820622500.06s (about 6.4 million years). And yes, it's something I both change often and have memorized.

Security questions do not work for public figures. Almost none of them will hold up to people whose whole lives are pointlessly documented.

Modern social media can also be used to identify personal information of regular people.

If you look at the anon-in.com logs where they operate, you can see hackers asking each other "What car is this?" with posts of random hot girls cars that they collected from Facebook or wherever. They then use this to break the iCloud security questions for said hot girls and get their nudes.

Also, you don't even need social media accounts to be targeted via social media. Just having friends that posts pics with your bits of identifying info is enough.

If you are a celebrity, every douche and their brother's dog is going to be looking for nude photos. Don't take them, instead populate your collections with variations on goatse, it will maim the perps for life.

Remember 2008? Some random douche on 4chan just looked up her dog's name?

Security questions do not work for public figures. Almost none of them will hold up to people whose whole lives are pointlessly documented.

More to the point why does anybody use real information for security questions? As long as I can remember the answer the accuracy is irrelevant. Same with birthdays. If I decide some random date is my birthday it makes it a lot harder to guess.

If that were true there would be no religions or climate change deniers, they'd all be forgotten.

You're (apparently willfully obtusely) mixing up objective truth with what one believes to be true. It's always easier to remember facts that one has already learned (particularly from one's own past) than lies one has made up on the spot.

I can indeed imagine that in some cases it would be possible to find the answer to the password security questions by doing some googling about the celebrity.
With 2 factor authentication this would not have been an issue.
I still wonder how the hackers got access to the email addresses of the celebrities they targeted? Because this is the necessary first step. Sloppy industry agents perhaps?

what the heck are these people thinking? Putting nude photos of yourself on a phone and synching it every which way? It's one thing if you are Joe-nobody but being a celebriry is entirely different. That's just plain stupid.

If you don't want people to see pictures of you naked, don't take the pictures.And if you do, don't put them on a computer.And if you do, don't put them on a computer on the internet.And if you do, don't put them on someone else's computer on the internet.

f you don't want people to see pictures of you naked, don't take the pictures.

Yes, it's probably too much to ask for some security on your private files, nowadays. Options like "only sync photo's with permission" or "Do not sync" folders are way to complex to implement. So let's put the burden of dealing with failing technology on the consumer. After all, that worked really well for car vendors, right?

I foresee the day when Apple et al are going to pay HUGE settlements in class action suits if they keep up this rather cavalier attitude towards security.

What does this have to do with a secure method of log-in? If I make my password "password", then it's my own fault, not the login system's fault. You could say that they could require a strong password, which is great. Require it to be 10 characters, including at least 1 upper-case, 1 lower-case, 1 number, and one symbol. You know what the password will be then?

"P@$$w0rd12"

If you want to do better than that, we need to be using a public key system, and create a secure, reliable, easy method of managi

How hard is it to inspect a password and tell a person that it's just too weak and here are the rules, so please comply or die?

It's pretty hard. Whatever rules you use to automate the detection of weak passwords can be fooled. That was my point with "P@$$w0rd12". By most automated systems' ability to check, that's a strong password. Still, if you're running a dictionary attack, you're going to include things like that.

How hard is it to enforce two level authorization at sign-up?

Not necessarily easy, unless you can assume (a) everyone has whatever they need for the second factor; and (b) people will tolerate using the second factor. Even if you strictly enforce a second factor which send

Working systems are available, but fools want their iThing or $20 droid and then act all surprised when their genitals end up on 4chan. It's not a new problem when was it Paris hilton's sidekick got hacked again?

if you buy trash with security ranging from "fuck it we have none" to "well I guess we tried" because it's ooh shiney let's play flappy bird that is a choice with consequences.

Better education of users is the answer. To coin a car analogy, most people now know not to leave their purse, computer, other valuable items visible in their car, they take extra measures like leaving it in the boot/trunk or not leaving it there in the first place.

This was (and unfortunately still is) not always the case but because of advertising campaigns people tend to know they should be more aware.

I'd imagine that most of them really didn't want that stuff leaked - or they'd just leak them, themselves, in a coordinated manner.

Of course now that they are out, most of them will be working with their PR agent(s) to put as positive a spin on it as they can - be that to be indignant, outraged, shrugging it off, claiming it's not them, thinking of how they're going to put themselves in a PSA about password security so that their idolizing fans don't make the same mistake, etc.And, yes, some of them will p

1) They took nudes. So fscking what. The fact that in their private lives they decided to indulge in an activity that lots of people do isn’t something that should even be reported, much less held against them or effect their careers.

2) Basic human dignity should preclude assholes like the attackers from invading others privacy like this. (Yes, I know the world is full of assholes, and this is unreasonable dreaming, but still wrong of OP to blame the victim for someone else being an asshole.)

3) I believe Apple enables photo syncing to the cloud by default when you setup iCloud on a new device. (I could be wrong. It’s been a while since I setup a device from scratch rather than backup/restore.) I wouldn’t expect the vast majority of people to appreciate the gravity of having every pic you ever take immediately uploaded to a third party server. I consider that a serious falling of the tech industry for not educating people of the risks of using cloud-based services. I also wouldn’t expect the majority of iUsers to be able to find & disable the photo sync option nor to know how to expunge any images that might already have been uploaded. Blaming non-techies for being non-techies isn’t a reasonable approach.

So as far as assigning blame for this one:

1) The Hackers.2) Prudish, sex-hating, women-hating ‘mur’kans for blaming the victims.3) The press for seizing on this as news story of the month thus ensuring everyone knows to go searching for the pics.4) Tech industry for pushing cloud-based storage.5) Apple for not enabling password lockout on Find my Phone (assuming the reporting on that was accurate).6) Apple for default-enabled on photo sync (assuming my recollection on that is correct - I may be wrong).7) Their publicists/managers/etc for not knowing enough to a) ensure their emails were unguessable, b) insist they disable photo syncing on their devices, c) insist they enable two-factor auth, d) ensure complex passwords and non-public-records password reset answers, and e) monitor their emails for “new device accessed your account” or “password reset” notifications.

You’ll note the celebs aren’t in the above list of people who share in the blame here. I don’t even expect them to know enough to use good passwords. They’re ordinary humans whose focus should be on things not related to IT security. The people they undoubtedly pay good money to manage their careers and lives should have known better though. If not known enough themselves, known enough to contract with someone who did who could advise them appropriately.

what the heck are these people thinking? Putting valuables in your house, and installing windows so people can see right in? It's like they're INVITING robberies!!!

Criminal trespass is criminal trespass. It doesn't matter if it was "easy" to get to the photos - they were not yours, or anybody else's, to access without permission.

I don't think the debate is about whether the access of the photos was a crime, rather it is turning into a debate about the thought given, or not, of how sensitive information is being handled, in this case celebrity nude pics of themselves. Having valuables in my house and having windows in my house are both OK, but placing valuables right up against the front windows where a smash-and-grab can get them is stupid. If a person takes nude pics of themselves, then the person better understand that they hav

They can also provide individuals who want it - primarily high-profile individuals - stronger lock-downs such as only allowing registered devices to log in or require typing in a code that is texted to the person prior to completing the login, much like some banks already do.

You can use any phone with SMS support [apple.com] which seems pretty standard. Since people are typically syncing from their iPhones to the iCloud they usually have an iPhone, but it's possible to use a freebie 10 year old brick phone if you wanted.

And I am sure you realize that the 2factor Authorization as currently designed and utilized by Apple only protects against your account data being used to purchase things from the AppStore and interact with your account.

Details are at http://support.apple.com/kb/ht5570 [apple.com] and quoting from there:
It requires you to verify your identity using one of your devices before you can take any of these actions:

Apple always deny there is a problem, even after they fixed it. They denied the iPhone 4 antenna problems, but offered customers a free rubber bumper anyway. They denied problems with overheating MacBook Pros, but replaced the CPU boards anyway. They denied problems with moisture sensors but added exceptions to their warranty policies anyway. They denied iPod battery problems but reduced the replacement price from $250 to $50 anyway. They denied retina screen problems with their laptops but replaced ghosting ones anyway.

I imagine they will just quietly fix the problem and pretend it never existed. Probably their lawyers telling them to admit nothing, since most of these issues end up as lawsuits.

There's no real reason to think that Apple is at fault here, or even that all of the photos came from compromised accounts on iCloud. The rumor going around last I saw was that this was a collection that was acquired over sever years, contributed by many different people who acquired the photos from many different accounts that were attacked in many different ways. It wasn't gathered all at once from a single attack on iCloud. It was just leaked all at once.

I have no evidence of that-- just the rumor I've seen on a couple different sites-- but it makes more sense than a massive iCloud hack that scooped up all of these photos at once.

Yar, from what I've heard is that there is basically an underground ring that trades in these sorts of things -- not too dissimilar from the 'carding' groups. And, many different sources makes sense. File names in particular -- some are time stamps, others random characters. Pictures taken with a variety of phones (not all of which were iPhones etc.

You know, I'm really annoyed at Apple about this. They say that iCloud wasn't breached and it was a targeted account attack with weak passwords. But on Monday (the day after the pics were posted) they patched a flaw in Find My Friends where the account would be vulnerable to a dictionary attack:

The vulnerability allegedly discovered in the Find my iPhone service appears to have allowed attackers to use this method to guess passwords repeatedly without any sort of lockout or alert to the target. Once the password has been eventually matched, the attacker can then use it to access other iCloud functions freely.
A tool to exploit the weakness was uploaded to Github, where it remained for two days before being shared on Hacker News
Apple patched the service at 3.20am PT today. While it’s possible that the timing was coincidental, an iCloud exploit being posted online just two days before the photos appeared, and being patched shortly after the story broke, makes this seem unlikely. Apple has not yet responded to a request for comment.

so there was no icloud breach, but there was a bug that enabled a brute force attack. It's not known that this exploit was used on the celebrities, but a tool that exploits this bug was recently posted. Ok...

also, super unclassy for Apple to blame the victim, especially when these types of weaknesses are buried in their code.

Yes, and I just don't believe them. It's super-bad press for them a week before they release their new device.

The core problem is that in order to improve iCloud use they have actively encouraged users during the signup process to enable iCloud syncing - and default settings push all of your photos, docs and data. For a time-pressed celeb who may not be that tech savvy this is just asking for trouble.

I'm a bit surprised by the number of people who send around naked photos of themselves though. I must be in

The pics were apparently circulating over a week ago in some parts of the Internet, and were, by all indications, collected over the course of several months from a variety of sources (i.e. not all of the celebrities are in the Apple ecosystem; a number of them use Android). The "iBrute" exploit code didn't become available until earlier this week.

There's actually a fairly detailed breakdown of this and similar attacks [nikcub.com] already available, most of which rely on various social engineering techniques, basic detective work, or turning (ex-)friends of the celebrities against them to get malware installed or procure more intimate information (sometimes in exchange for receiving their own copies of the pics).

Finally, pointing out that they're not responsible for the data being compromised is not the same as blaming the victims. As the article I linked mentions, in many cases these celebrities may not have ever fallen for a phishing attack or given their password to "tech support" over the phone. The only error they may have made was in keeping poor company.

Finally, pointing out that they're not responsible for the data being compromised is not the same as blaming the victims. As the article I linked mentions, in many cases these celebrities may not have ever fallen for a phishing attack or given their password to "tech support" over the phone. The only error they may have made was in keeping poor company.

WaPo article [washingtonpost.com] "Apple then goes on to offer some security suggestions for iCloud users who might be confused about how to protect themselves. The subtext is clear: If there's anything wrong here, it's in the way that individual users secured their accounts."

Apple press release [macresource.com]: "To protect against this type of attack, we advise all users to always use a strong password".

read different things into it, but the fact remains: human being suck at passwords. we have sucked at passwords for 30 years, and we wil

I thought Find My iPhone didn't lock accounts after too many failed logins? This was discussed in many twitter conversations yesterday and how the script used no longer works since apple updated the system. I call that a failure in Apple's security. Who the hell forgets to put in that kind of fail safe anymore?

I thought Find My iPhone didn't lock accounts after too many failed logins? This was discussed in many twitter conversations yesterday and how the script used no longer works since apple updated the system. I call that a failure in Apple's security. Who the hell forgets to put in that kind of fail safe anymore?

As far as I know, the only website that I use that enforces such a limit is my bank, and even there I think it is heavy-handed. They could just block you for an hour after three failed attempts, or make the time exponential, or something.

Logging in to FMi will be a relatively slow process anyway. A full brute-force attempt is extremely unlikely to succeed, so scripting only makes sense if the attacker knows at least some of the password. That is, if you want to try if one of 'fido1' to 'fido9999' is the rig

In combination with iCloud credentials obtained with iBrute, the password-cracking software for iCloud released on Github over the weekend, EPPB lets anyone impersonate a victimâ(TM)s iPhone and download its full backup rather than the more limited data accessible on iCloud.com.

So basically, in combination with your password, this tools let's you access resources secured by your password. Amazing! Next up you'll tell me there's a tool that lets you open my front door in combination with a copy of my house key!

Let's put this another way -- you tell some/.er that he can buy a new iPhone, enter his password and immediately restore from an iCloud backup. Logically then, we expect that he understands that the password controls access to the backup, since the only thing he needed to pr

Using the correct answer to a security question, you can reset the password for the backup. After that, you can download it and then apply the password you just entered. So the security is as strong as the weakest link, in this case still most likely the security questions.

If your system does not offer any kind of brute force protection mechanism at all, which Find My iPhone does not seem to have based on my readings, then your system is broken by design. Brute force protections like 'only allow 10 login attempts within 5 minutes, and then block that IP from all login attempts for 30 minutes" are so trivial to implement that they should be part of any authentication system.

Apple obviously wants iCloud and your ITMS credentials to be the iGateway to your life and all your devices and whatnot. They also emphasize security, elegance, and ease of use in their advertising, and cater to a relatively upmarket audience, for the most part.

Why, then, can you not even buy any serious security? Yes, they have 'two factor authentication', of the kind where you have a username, password, and they send you a temporary PIN to one of your devices; but money simply cannot buy a certificate authentication mechanism. Nor an RSA-fob or equivalent. Hell, your WoW character can be protected by a hardware auth fob; but your entire iLife can't?

In the end(while it may well be true) Apple's insistence that the hack was based on guessing/gaining user credentials, rather than attacking Apple code, just doesn't matter. User credentials are always fairly vulnerable. If they want people to put their life 'in the cloud', they are going to have to do better than that(especially if they want celebrity users, since that's a userbase that more or less automatically includes insane stalkers).

I think the issue is that security isn't pretty, and Apple wants pretty. Look at the two-factor authentication. Having to wait until a PIN is sent to you before you can access whatever? That isn't elegant at all (from Apple's POV. It removes the one click convenience.). Personally, I'd rather have the security, but I'm a geek, like most people on Slashdot.

People don't post nude pics to the cloud.They have a little check box in their iPhone named something like "synch photos with your mac via icloud".The checkbox is checked by default when you buy the phone.All new photos are automatically transferred to the iCloud and when you open your Mac at home it "magically" shows up there.No one ever is doing a "now I have to upload my photos to the cloud" thing. So most people don't even know that their photos are up there.